| File name: | AntDM-x64.2.14.0-setup.exe |
| Full analysis: | https://app.any.run/tasks/37cc97a0-d804-42e3-986b-0dcfee6a260b |
| Verdict: | Malicious activity |
| Analysis date: | September 14, 2024, 15:18:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 39B5B4131B16C3629036DCFE52B49CC5 |
| SHA1: | 86FC12DAE47650F30282CCF9E5EBC065D6C547D3 |
| SHA256: | E0EE30C215AF13020A2595FD2657FCC6823412C3CBFC93B3C7EE67849CA85409 |
| SSDEEP: | 786432:UGsugl9s+fh7di2go0r/F3tZv2rybYK0m3zh2:UGshl9sAdzgP93tZvRYNGI |
MALICIOUS
Changes the autorun value in the registry
- AntDM.exe (PID: 2572)
SUSPICIOUS
Reads security settings of Internet Explorer
- AntDM-x64.2.14.0-setup.tmp (PID: 6664)
Executable content was dropped or overwritten
- AntDM-x64.2.14.0-setup.exe (PID: 1104)
- AntDM-x64.2.14.0-setup.exe (PID: 6844)
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
- cmd.exe (PID: 6768)
Reads the Windows owner or organization settings
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
Uses TASKKILL.EXE to kill process
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
Starts CMD.EXE for commands execution
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
- AntDM.exe (PID: 2572)
- wscript.exe (PID: 6400)
The process executes VB scripts
- cmd.exe (PID: 1656)
Uses NETSH.EXE to add a firewall rule or allowed programs
- cmd.exe (PID: 5292)
Checks for external IP
- AntDM.exe (PID: 5920)
- svchost.exe (PID: 2256)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6400)
Executing commands from a ".bat" file
- wscript.exe (PID: 6400)
INFO
Create files in a temporary directory
- AntDM-x64.2.14.0-setup.exe (PID: 6844)
- AntDM-x64.2.14.0-setup.exe (PID: 1104)
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
- AntDM.exe (PID: 6704)
- AntDM.exe (PID: 2572)
Checks supported languages
- AntDM-x64.2.14.0-setup.exe (PID: 6844)
- AntDM-x64.2.14.0-setup.exe (PID: 1104)
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
- AntDM-x64.2.14.0-setup.tmp (PID: 6664)
- AntDM.exe (PID: 6704)
- AntDM.exe (PID: 2572)
- AntDM.exe (PID: 5920)
Process checks computer location settings
- AntDM-x64.2.14.0-setup.tmp (PID: 6664)
Reads the computer name
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
- AntDM-x64.2.14.0-setup.tmp (PID: 6664)
- AntDM.exe (PID: 2572)
- AntDM.exe (PID: 5920)
Creates files in the program directory
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
Reads Environment values
- AntDM.exe (PID: 6704)
- AntDM.exe (PID: 2572)
- AntDM.exe (PID: 5920)
Reads product name
- AntDM.exe (PID: 6704)
- AntDM.exe (PID: 2572)
- AntDM.exe (PID: 5920)
Creates files or folders in the user directory
- AntDM.exe (PID: 2572)
- AntDM.exe (PID: 5920)
The process uses the downloaded file
- cmd.exe (PID: 1656)
- wscript.exe (PID: 6400)
Creates a software uninstall entry
- AntDM-x64.2.14.0-setup.tmp (PID: 6716)
Reads the machine GUID from the registry
- AntDM.exe (PID: 5920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:06:03 08:09:11+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741376 |
| InitializedDataSize: | 159744 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.14.0.0 |
| ProductVersionNumber: | 2.14.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | AntGROUP, Inc. |
| FileDescription: | Ant Download Manager (x64) |
| FileVersion: | 2.14.0 |
| LegalCopyright: | ©AntGROUP Inc. |
| OriginalFileName: | |
| ProductName: | Ant Download Manager (x64) |
| ProductVersion: | 2.14.0 |
Total processes
139
Monitored processes
26
Malicious processes
5
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1060 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1104 | "C:\Users\admin\Desktop\AntDM-x64.2.14.0-setup.exe" /SPAWNWND=$70320 /NOTIFYWND=$503A8 | C:\Users\admin\Desktop\AntDM-x64.2.14.0-setup.exe | AntDM-x64.2.14.0-setup.tmp | ||||||||||||
User: admin Company: AntGROUP, Inc. Integrity Level: HIGH Description: Ant Download Manager (x64) Exit code: 0 Version: 2.14.0 Modules
| |||||||||||||||
| 1556 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1656 | C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\AntDM\E8EC.tmp.vbs | C:\Windows\System32\cmd.exe | — | AntDM.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1944 | "C:\WINDOWS\system32\cmd.exe" /C rd "C:\Program Files\Ant Download Manager (x64)" | C:\Windows\System32\cmd.exe | — | AntDM-x64.2.14.0-setup.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 145 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2572 | "C:\Program Files\Ant Download Manager (x64)\AntDM.exe" torrent_winfirewall=true install lng=en | C:\Program Files\Ant Download Manager (x64)\AntDM.exe | AntDM-x64.2.14.0-setup.tmp | ||||||||||||
User: admin Company: AntGROUP Integrity Level: MEDIUM Description: Ant Download Manager Exit code: 0 Version: 2.14.0.88305 Modules
| |||||||||||||||
| 3984 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4732 | "C:\WINDOWS\system32\cmd.exe" /C move "C:\Program Files\Ant Download Manager (x64)\unins000.dat" "C:\Program Files\Ant Download Manager (x64)\" | C:\Windows\System32\cmd.exe | — | AntDM-x64.2.14.0-setup.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5244 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 488
Read events
3 399
Write events
79
Delete events
10
Modification events
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.0 | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\Ant Download Manager (x64) | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\Ant Download Manager (x64)\ | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Ant Download Manager (x64) | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: Selected Tasks |
Value: desktopicon | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: Deselected Tasks |
Value: quicklaunchicon | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | Inno Setup: Language |
Value: en | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | DisplayName |
Value: Ant Download Manager (x64) | |||
| (PID) Process: | (6716) AntDM-x64.2.14.0-setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{754CB6A3-3FE2-40DA-9FE5-2864909BD1CD}_is1 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Ant Download Manager (x64)\AntDM.exe | |||
Executable files
193
Suspicious files
17
Text files
708
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\AntDM.exe | executable | |
MD5:256F72440E2762DD7C38D63CBDA24093 | SHA256:942FD5521078B092F1D5F1D57E10A86A25F3A34B93AB9DC828B3BB3EDDCFE456 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\is-6PB0A.tmp | executable | |
MD5:1B8B3A03DDC5C7D08B98A0CEEC848B0A | SHA256:45C112E10FD5E4EF9242705D4D6422FB3E37441B5E0905A47FDE9F9602B12DE5 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Users\admin\AppData\Local\Temp\is-8KES6.tmp\psvince.dll | executable | |
MD5:1F829CDF99A9FBE49AC6902597AD58B6 | SHA256:9A0E0E27E20DFB30792917FC9E64AAD05B0DECC5A65AEC5B2B4FD050E5B3CC2B | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\is-P1EB8.tmp | executable | |
MD5:1F829CDF99A9FBE49AC6902597AD58B6 | SHA256:9A0E0E27E20DFB30792917FC9E64AAD05B0DECC5A65AEC5B2B4FD050E5B3CC2B | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\is-EMOH7.tmp | executable | |
MD5:256F72440E2762DD7C38D63CBDA24093 | SHA256:942FD5521078B092F1D5F1D57E10A86A25F3A34B93AB9DC828B3BB3EDDCFE456 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\psvince.dll | executable | |
MD5:1F829CDF99A9FBE49AC6902597AD58B6 | SHA256:9A0E0E27E20DFB30792917FC9E64AAD05B0DECC5A65AEC5B2B4FD050E5B3CC2B | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\unins000.exe | executable | |
MD5:1B8B3A03DDC5C7D08B98A0CEEC848B0A | SHA256:45C112E10FD5E4EF9242705D4D6422FB3E37441B5E0905A47FDE9F9602B12DE5 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\is-ROIRB.tmp | text | |
MD5:02F8E0248B9BD3F2A477C56A23C67FA6 | SHA256:895603D093D4DA205ADAE122FB67C5F650C024AEA73748CBCC535FDD008DA8C8 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\AntDM.lic | text | |
MD5:02F8E0248B9BD3F2A477C56A23C67FA6 | SHA256:895603D093D4DA205ADAE122FB67C5F650C024AEA73748CBCC535FDD008DA8C8 | |||
| 6716 | AntDM-x64.2.14.0-setup.tmp | C:\Program Files\Ant Download Manager (x64)\is-OA3B5.tmp | executable | |
MD5:8015016AF3724190B79BF3767654F189 | SHA256:6FD91AADA6BDD5E7A05A15CFC9782F8BA2011F57449A9C29E90BA7CFA8F4CB7D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
23
DNS requests
9
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6052 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5920 | AntDM.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line?fields=countryCode | unknown | — | — | shared |
— | — | GET | 301 | 142.250.186.132:443 | https://google.com/ | unknown | html | 220 b | — |
— | — | GET | 200 | 135.148.34.70:443 | https://antdownloadmanager.com/cgi/update.php?r=4a1153e5956696d1c584&id=%7B679D1718-51E1-4DC8-93D6-3F588850A7F3%7D&cver=2.14.0.88305&xver=64&os=10&osx=32&defbr=Microsoft+Edge+122&dlcnt=0&cdb=0&cyt=0&cvt=0&ctr=0&dld=0&lng=en&gcc=IQ&rs=1 | unknown | text | 300 b | — |
— | — | GET | 200 | 135.148.34.70:443 | https://antdownloadmanager.com/downloads/settings | unknown | text | 48 b | — |
— | — | GET | 200 | 142.250.186.132:443 | https://www.google.com/ | unknown | html | 192 Kb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 52.191.219.104:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6052 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5920 | AntDM.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | shared |
5920 | AntDM.exe | 135.148.34.70:443 | antdownloadmanager.com | OVH SAS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ip-api.com |
| shared |
antdownloadmanager.com |
| unknown |
www.google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
5920 | AntDM.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |